The Resiliency Model Project

Collaboration between FSTC and Carnegie Mellon's Software Engineering Institute

Multi-phased effort to help financial organizations measure and improve their resiliency capabilities

Focused on the resiliency engineering process

Encompasses security, business continuity, and IT operations practices with a focus on operational risk management

Codified in the "Resiliency Engineering Framework"

Establishes a foundation for resiliency process improvement
Software Engineering Institute

Established in 1984

Federally Funded Research and Development Center (FFRDC)

College-level unit of Carnegie Mellon University

Includes five technical programs aimed at helping defense, government, industry, and academic organizations to continually improve software-intensive systems

Widely-known areas of expertise

• CERT Coordination Center (security)

• CMMI Capability Maturity Model Integration (process improvement)
An expanded risk environment

Supply Chain

Disasters

Regulations

Cyber Security

Terrorism
Resiliency... more than a buzzword

Resiliency is the ability of an object to return to its original shape

Operational resiliency refers to an organization's ability to function and adapt through the lifecycle of disruptions

A resiliency model is a roadmap for managing the consistent delivery of products and services
Managing resiliency is a challenge

Requires

• Ongoing measurement and monitoring

• Balancing cost and risk tradeoffs

• Taking an enterprise focus

Financial Services organizations recognize a need to be able to manage resiliency in a systematic, consistent, measurable, and improvable way
Resiliency engineering in practice

The process by which an organization establishes, develops, implements, and manages the operational resiliency of services, related business processes, and associated assets
Collaborating toward a common goal
A framework is needed to...

Identify and prioritize risk exposures

Define a process improvement roadmap

Measure and facilitate strategic planning

Address interdependencies

Promote pro-active regulatory compliance
Goal: continuous improvement of resiliency processes

FRB Bus Con Conference 2006

© 2006 Carnegie Mellon University

Why use a "framework" approach?

Provides an operational risk roadmap

Vendor-neutral, standardized, unbiased assessment vehicle

Can be leveraged for process improvement at any organization, public or private

Avoids the pitfalls of prescriptive solutions by promoting resiliency engineering and the use of organization-appropriate practices
The Resiliency Engineering Framework

An integrated process improvement framework for security and business continuity

Defines basic process areas and provides guidelines for improving security and BC processes

Addresses operational risk management through process management

Vital linkages between security, BC, and IT ops are captured in the process definition

Establishes a capability benchmark
Why use a "process" approach?

Elevates the management and coordination of operational-resiliency focused activities to the enterprise:

• Shared view of risk, goals, and resources

• Elimination of redundancy and stovepipes

• Elimination of "practice quagmire" by selecting meaningful practices that fit the process definition

• Ability to set goals and measure process effectiveness

• Ability to inculcate and nurture a process improvement culture
How will the framework be used?

Establish current level of capability

Set forward-looking resiliency goals and targets

Develop plans to close identified gaps

Build resiliency into important assets and architectures

Reduce reactionary activities; shift to directing and controlling activities

Align common practices with processes to achieve process goals
Future activities

Release REF v1.0 in October 2006 for comments

Guidelines for improving the security and business continuity processes

Phase III expansion of model development and piloting

Exploration of integration with other existing models

Development of appraisal methodology to measure capability for managing resiliency
Phase I and Phase II Project Members

Ameriprise

Bank of America

Carnegie Mellon

Capital Group

Citicorp

Discover

DRII

DRJ

IBM

JPMorgan Chase

Key Bank

KPMG

MasterCard

Marshall and Ilsley

NY Federal Reserve Bank

SunGard

Trizec Properties

US Bank

Wachovia
For more information

Rich Caralli

Software Engineering Institute

www.sei.cmu.edu

www.cert.org

rcaralli@cert.org

Charles Wallen

Financial Services Technology Consortium

www.fstc.org

charles.wallen@fstc.org
Introducing the Resiliency Engineering Framework

Carnegie Mellon Software Engineering Institute
Framework architecture

Represents processes that span four basic areas:

• Enterprise management

• Engineering

• Operations management

• Process management

Considers the resiliency of people, information, technology, and facilities in the context of services and business objectives
Enterprise management processes

Enterprise capabilities that are essential to supporting the resiliency engineering process

RISK - Risk Management

EF - Enterprise Focus

COMP - Compliance Management

FRM - Financial Resource Management

HRM - Human Resource Management
Operations management processes

Capabilities focused on sustaining an adequate level of operational resiliency

SAM - Supplier Agreement Management

SRM - Supplier Relationship Management

AMC - Access Management and Control

IMC - Incident Management and Control

VM - Vulnerability Management

EC - Environmental Control

KIM - Knowledge and Information Management

SOM - Security Operations Management

ITOPS - IT Operations Management

TM - Technology Management
Engineering processes

Capabilities focused on establishing and implementing resiliency for organizational assets, business processes, and services

RRD - Requirements Definition

RRM - Requirements Management

ADM - Asset Definition and Management

SM - Survivability Management

REST - Restoration of Operations Planning

CM - Controls Management

RADA - Resilient Architecture Development and Acquisition
Process management processes

Enterprise capabilities related to defining, planning, deploying, implementing, monitoring, controlling, appraising, measuring, and improving processes

OTA - Organizational Training and Awareness

PM - Process Management

MA - Measurement and Analysis

MON - Monitoring